CHIPS Articles: PII Lessons Learned from the DON CIO
The DON Privacy office has received numerous reports of breach incidents involving the discovery of personally identifiable information (PII) left in vacated office spaces. In these incidents, file cabinets, desk drawers, and boxes were found to contain documents such as personnel files, visitor logs, fitness reports, and medical records. Unfortunately, identifying the office or command that is accountable can be difficult, as can determining accurate contact information for the individuals whose PII appears in the documents found. To increase awareness of this problem and of what we can all do to prevent such events, a summary of recent incidents and the resulting lessons learned is provided below.
Recent incidents reported to the DON Privacy office:
- Boxes of PII stored in an unused shed adjacent to a hangar for six years.
- Many documents containing PII found in an office of an administrative building abandoned for six years after base realignment and closure.
- Boxes of PII found in the attic of an Echelon II headquarters building.
- File cabinet containing PII with proper DD Form 250 (Material Inspection and Receiving Report) transfer document found at the local Defense Reutilization Material Office (DRMO).
- PII left behind in office furniture on a decommissioned ship.
Lessons learned:
- Outdated files containing sensitive PII present as much risk to individuals as current files still in use.
- All office moves have the potential to result in the loss or potential compromise of PII.
- As implied in the avoidance steps below, poor planning and a lack of management oversight are the leading causes of these breach incidents.
- Condemned or abandoned buildings should be thoroughly inspected and then secured.
- Condemned or abandoned buildings should be re-inspected on an annual basis.
How can these incidents be avoided?
- Develop a checklist for all office moves/closures that includes an item to search for PII.
- Ensure vacated office spaces are thoroughly searched and all documents are removed from desks and file cabinets.
- Ensure spaces are secured after buildings are vacated.
- Package all PII documents prior to office moves/closures and ensure all containers are accounted for at the new office.
- Destroy PII that is no longer required to be stored prior to an office move in accordance with the Department of the Navy Records Management Manual.
- Mark documents containing PII per the SECNAVINST 5211.5 DON Privacy Program series.
- Conduct a thorough inspection of desks, file cabinets, and other office equipment before disposal.
Reference documents cited above as well as additional privacy resources can be found on the DON CIO website.